Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nftables monitor disable #2817

Merged
merged 1 commit into from
Nov 19, 2024
Merged

Nftables monitor disable #2817

merged 1 commit into from
Nov 19, 2024

Conversation

cheina97
Copy link
Member

Description

This PR introduces a flag to disable the nftables monitoring routine in liqo-fabric.
This is useful because the monitoring routine uses many resources in some cases (like k3s).
It also disables by default the routine in liqoctl k3s provider.

@cheina97
Copy link
Member Author

/rebase test=true

@adamjensenbot
Copy link
Collaborator

Hi @cheina97. Thanks for your PR!

I am @adamjensenbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

  • /rebase: Rebase this PR onto the master branch (You can add the option test=true to launch the tests
    when the rebase operation is completed)
  • /merge: Merge this PR into the master branch
  • /build Build Liqo components
  • /test Launch the E2E and Unit tests
  • /hold, /unhold Add/remove the hold label to prevent merging with /merge

Make sure this PR appears in the liqo changelog, adding one of the following labels:

  • kind/breaking: 💥 Breaking Change
  • kind/feature: 🚀 New Feature
  • kind/bug: 🐛 Bug Fix
  • kind/cleanup: 🧹 Code Refactoring
  • kind/docs: 📝 Documentation

@cheina97 cheina97 force-pushed the frc/nftmonitor branch 2 times, most recently from 331847a to 00064fb Compare November 18, 2024 10:52
@cheina97
Copy link
Member Author

/build

@cheina97
Copy link
Member Author

/rebase test=true

@cheina97 cheina97 force-pushed the frc/nftmonitor branch 2 times, most recently from eb43042 to dfc70d9 Compare November 18, 2024 14:00
@cheina97
Copy link
Member Author

/rebase test=true

@cheina97 cheina97 force-pushed the frc/nftmonitor branch 2 times, most recently from 7f7898a to eafe23f Compare November 18, 2024 14:54
@cheina97
Copy link
Member Author

/rebase test=true

@cheina97
Copy link
Member Author

/rebase test=true

@fra98
Copy link
Member

fra98 commented Nov 19, 2024

/merge

@adamjensenbot adamjensenbot added the merge-requested Request bot merging (automatically managed) label Nov 19, 2024
@adamjensenbot adamjensenbot merged commit c40beff into liqotech:master Nov 19, 2024
13 checks passed
@adamjensenbot adamjensenbot removed the merge-requested Request bot merging (automatically managed) label Nov 19, 2024
@frisso
Copy link
Member

frisso commented Dec 2, 2024
edited
Loading

@cheina97 Thanks for this fix, I was encountering exactly this issue (i.e., the 'liqo-fabric' pod constantly consuming one full CPU core).
However, it is not clear to me what this fix leaves behind. Which feature do I loose when this flag is turned off?

@cheina97
Copy link
Member Author

cheina97 commented Dec 2, 2024
edited
Loading

@cheina97 Thanks for this fix, I was encountering exactly this issue (i.e., the 'liqo-fabric' pod constantly consuming one full CPU core). However, it is not clear to me what this fix leaves behind. Which feature do I lose when this flag is turned off?

Hi @frisso

If you disable this feature if someone or something deletes liqo's firewall rules on the nodes they are not restored until a reconcile is triggered (changing a firewallconfiguration resource or waiting for the periodic forced reconcile, which is by default 10 hours) or the liqo-fabric pods restart.

This is just an extra layer of protection against "who" should remove our nftables rules from the host (note that this feature still works in gateways).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fra98 fra98 fra98 approved these changes

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cheina97 @adamjensenbot @fra98 @frisso